search
TwitterGitHubBlog

Password Spraying

hashtag
Password Policy

Enumerate password policy in the domain:

$ cme smb 10.10.13.37 -u snovvcrash -p 'Passw0rd!' --pass-pol
Cmd > net accounts /domain
PS > Get-ADDefaultDomainPasswordPolicy
PV3 > Get-DomainPolicyData | select -ExpandProperty SystemAccess

Example of net accounts output:

Name (EN)
Name (RU)
Value

Minimum password age (days):

Минимальный срок действия пароля (дней):

1

Maximum password age (days):

Максимальный срок действия пароля (дней):

90

Minimum password length:

Минимальная длина пароля:

10

Length of password history maintained:

Хранение неповторяющихся паролей:

24

Lockout threshold:

Блокировка после ошибок ввода пароля:

7

Lockout duration (minutes):

Длительность блокировки (минут):

30

Lockout observation window (minutes):

Сброс счетчика блокировок через (минут):

30

hashtag
Fine-Grained Password Policies

Map FGPPs to the users they're being applied to (need admin privileges by default):

circle-info

When it's critical not to cause a lockout on a user account with a FGPP applied, the safest approach would be to exclude users with msDS-PSOApplied or msDS-ResultantPSO properties populated (can be read by a regular user) from the spray list.

Check if exists:

hashtag
Validate Domain Users

Validate against KDC (doesn't causearrow-up-right accounts lock out) via Kerberos with NetExec:

Validate via cLDAP (LDAP Ping) with ldapnomnomarrow-up-right/ldeeparrow-up-right:

Validate via MS-NRPC (Netlogon) with NauthNRPCarrow-up-right:

hashtag
Get Domain Users

hashtag
Non-Authenticated (Null Session)

RID Cyclingchevron-right

If SMB null sessions are allowed on the DC, an adversary can get a list of all domain users via RID Cycling.

Another approach is to manually request all users via RPC ($IPC share):

hashtag
CrackMapExec

hashtag
rpcclient:

hashtag
net:

hashtag
smbclient (check):

hashtag
enum4linuxarrow-up-right / enum4linux-ngarrow-up-right:

hashtag
nullinuxarrow-up-right:

hashtag
Authenticated

Query LDAP for all domain user accounts via GetADUsers.pyarrow-up-right:

Query LDAP for all domain user accounts via windapsearcharrow-up-right:

Query LDAP for all active domain user accounts via go-windapsearcharrow-up-right:

hashtag
Shadow Spray

hashtag
Tools

hashtag
MSF

hashtag
kerbrute

Generate a wordlist of common usernames in an appropriate format and validate it against KDC (doesn't causearrow-up-right accounts lock out):

Perform password spraying for discovered accounts:

hashtag
pyKerbrute

hashtag
smartbrute

Spray single hash against a list of users:

Get domain password policy and active users:

Launch smart password spray with a hash:

hashtag
DomainPasswordSpray

Last updated